[OSM-talk] Why doesn't OSM implement a simple measure to protectit's users and passwords?

John F. Eldredge john at jfeldredge.com
Tue Dec 22 16:27:25 GMT 2009 

There also does not appear to be any provision on the OSM web site for changing to a new password, which is something that one should do occasionally.  At least, if there is a way to do so, I haven't found it.

-- 
John F. Eldredge -- john at jfeldredge.com
"Reserve your right to think, for even to think wrongly is better than not to think at all." -- Hypatia of Alexandria

-----Original Message-----
From: John Smith <deltafoxtrot256 at gmail.com>
Date: Wed, 23 Dec 2009 00:11:43 
To: Talk Openstreetmap<talk at openstreetmap.org>
Subject: [OSM-talk] Why doesn't OSM implement a simple measure to protect
	it's users and passwords?

When does anyone plan to use SSL to protect passwords and users on OSM?

I noticed the other day about how JOSM puts this in it's MOTD:

"Your username and password are sent to the server unencrypted. If you
do not like this, do not upload."

While I'm aware that this is occurring, many others may not and may be
put off with statements like the above. While removing that statement
from JOSM might fix some of the image problems, it doesn't do anything
for real security.

There has even been a bug on this issue for 3 years!

http://trac.openstreetmap.org/ticket/275

This is even more concerning when you add into the mix the UK
government is trying to record globs and globs of additional
information on data travelling across internet links in the UK, among
other things.

http://go.theregister.com/feed/www.theregister.co.uk/2009/12/22/mobile_imp/

As has been pointed out on the trac ticket, OSM should be eligible for
a free cert from godaddy, then there is ideological reasons for
supporting other options like CAcert, just like many support OSM for
ideological reasons rather than Google.

I realise there is some APIs floating about that use alternative
authentication schemes, but the majority of users will be sending
their passwords (and everything else for that matter) clear text over
the internet for all and sundry to snoop on.

Is it really reasonable to not offer SSL encryption?

_______________________________________________
talk mailing list
talk at openstreetmap.org
http://lists.openstreetmap.org/listinfo/talk

More information about the talk mailing list